It doesn't matter the size of your organisation or the compliance posture it must adhere to. Every device on the network should be hardened and maintained. I worked for one of the largest IT companies in the world, and it was the only company that had proper Windows Operating System hardening and Security Compliance Management. I also worked for a very large bank, and the Security Team, numbering 50+, just didn't understand how to develop a proper baseline for Security Compliance and copied and pasted information from another IT vendor! What I am trying to say is: there are different levels of Security Experts.

The above website and tools can be used to develop the required baseline for your environments. The Microsoft Security Compliance Manager is the starting point for this process. You can use this software to understand all the settings and then export them into a Group Policy that can be used to harden the Operating System. Once you have a policy set up, you need to maintain that posture using Desired State management and Continuous Monitoring.

Desired State

Using Group Policy is the best method to ensure the settings are applied to all servers. You can also use System Center Configuration Manager Desired State management and Puppet to monitor and alert on these settings.
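As an added example (my own illustration, not code from the tools above), here is how the "apply, then keep watching" loop looks in PowerShell Desired State Configuration. It pins two well-known baseline settings (UAC enabled, SMB1 server disabled) and keeps the Event Log service running, then re-tests the node and returns whatever has drifted. The two registry values are stand-ins for whatever your exported SCM baseline actually contains, and the drift check assumes WMF 5.0 or later so that Test-DscConfiguration supports -Detailed.

```powershell
# Added example (not the author's code). Assumes PowerShell with the built-in
# PSDesiredStateConfiguration module (WMF 5.0+ for the -Detailed drift check), run as a
# local administrator. The registry values below are illustrative baseline settings.

Configuration ServerBaseline {
    param (
        [string[]] $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Keep UAC enabled (EnableLUA = 1); a value of 0 turns UAC prompting off entirely.
        Registry UacEnabled {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            ValueName = 'EnableLUA'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }

        # Disable the SMB1 server protocol (SMB1 = 0) on the LanmanServer service.
        Registry Smb1ServerDisabled {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }

        # Audit data is only collected while the Event Log service is up.
        Service EventLogRunning {
            Name        = 'EventLog'
            State       = 'Running'
            StartupType = 'Automatic'
        }
    }
}

# Compile the configuration to a MOF under .\ServerBaseline and push it to the node.
ServerBaseline -OutputPath .\ServerBaseline | Out-Null
Start-DscConfiguration -Path .\ServerBaseline -Wait -Verbose

# Continuous monitoring: re-test the node against the last applied configuration and
# return the resource IDs that are no longer in the desired state. Run this on a schedule
# (or set the LCM to ApplyAndMonitor) and raise an alert whenever it returns anything.
function Get-BaselineDrift {
    $result = Test-DscConfiguration -Detailed
    $result.ResourcesNotInDesiredState | ForEach-Object { $_.ResourceId }
}

Get-BaselineDrift
```

Group Policy will keep re-applying the settings on its own refresh cycle; the point of the drift function is that it tells you *when* something changed underneath the policy, which is the signal you want feeding your monitoring.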

Security Scanners

Once you have the base policy using the above methods, you need to run two types of scanners on your base OS. The first is a Security Scanner run against your OS, after which you make adjustments as required. The other one I recommend is a tool that checks and updates all the software on the base OS image. A key tool to use is Nessus, which can be configured to scan and alert on items for PCI compliance, etc.

The following three tools are required to create a solid, secure SOE. These tools are NIST Security Content Automation Protocol (SCAP 1.2) validated tools.

Complexity of Application Presentation/Streaming and Distribution

I wanted to highlight and explain the complexity of designing Application Deployment and Management for Windows Desktops and VDI environments in a single diagram.

(oops, I mean Microsoft 🙂)

Update 02/04/16: Adding a few Application Deployment Options

Click Once Applications

Container Applications (AppZero)

Application Layering (e.g. Citrix AppDisk)

There are so many options for Application Deployment, and they are all very complex and architecturally different, and each affects how the user interacts with the application.

You can also have a combination of these application deployment and management technologies, for example Citrix XenApp + App-V + SCCM.

The core problem is usability: when you design such complex solutions it is almost impossible to guarantee the same level of usability as a locally installed application, which is what the end user is expecting. (Examples of usability: copy/paste, print, content sharing, etc.)

Combine this with the complexity of User State and profile management options, and it is no wonder many VDI projects fail and cause major frustration for end users.

[Update 07.11.2014] I saw information on Cloudvolumes.com when it was released, but they didn't release any information until VMware acquired them. I think this is the future of Application Deployment: VMware AppVolumes. This essentially can solve this complexity, although how it handles upgrades, conflicts, etc. needs to be tested. I can't wait for Microsoft to come up with a similar solution.

Since writing this article I have done some more research on VMware AppVolumes and Unidesk (http://www.unidesk.com/software); both could solve the problem of delivering applications and maintaining Microsoft and application updates.

NOT Installed: In Server Manager select Features, Add Features, select .NET Framework 3.5, also select WCF Activation and, when prompted, answer Add Required Role Services; click Next and Next again. (Make sure the BITS and IIS services are running; restart after install.)
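The same Server Manager steps can be scripted so the check is repeatable on every image build. This is an added example of mine, not part of the original checklist; it assumes the Windows Server 2008 R2 feature names (NET-Framework-Core for .NET 3.5.1 and NET-Win-CFAC plus its two sub-features for WCF Activation) and an elevated session. On later server versions the feature names differ, so confirm them with Get-WindowsFeature first.

```powershell
# Added example (not the author's steps). Assumes Windows Server 2008 R2 feature names
# and an administrator session; verify names with Get-WindowsFeature on other versions.

Import-Module ServerManager

# .NET Framework 3.5.1 plus WCF Activation and its HTTP / non-HTTP sub-features.
$features = 'NET-Framework-Core', 'NET-Win-CFAC', 'NET-HTTP-Activation', 'NET-Non-HTTP-Activ'

function Test-DotNet35Installed {
    # $true only when every required feature reports Installed.
    $missing = @(Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed })
    return ($missing.Count -eq 0)
}

if (-not (Test-DotNet35Installed)) {
    # Add-WindowsFeature pulls in the dependent role services (IIS, WAS) itself,
    # which is what the "Add Required Role Services" prompt does in the GUI.
    $outcome = Add-WindowsFeature -Name $features
    if ($outcome.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before the features are usable.'
    }
}

# The checklist wants BITS and IIS running after the install; start them if they are not.
foreach ($svc in 'BITS', 'W3SVC') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') { Start-Service -Name $svc }
}
Get-Service -Name BITS, W3SVC | Format-Table Name, Status -AutoSize
```

Running the test function on its own is a quick way to confirm an image is in the "Installed" state before handing it on to the next build step.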

Microsoft SPLA licensing for Windows 8

This is a subject that comes up in almost all DaaS opportunities: can a Microsoft MSP provide the Windows 8 OS? The quick answer is NO. Microsoft MSP/SPLA licensing only covers Windows SERVER Operating Systems. (I won't go into all the different FlexCast models here and will stick with providing a dedicated OS for users.)

However, there is a way a Microsoft MSP can provide Windows 8. Here is a quick guide:

The goal of Windows Virtual Desktop Access is to simplify licensing requirements in a virtual environment by licensing the devices that seek access to virtual desktops, instead of licensing the virtual desktops themselves.

Because VDA is included as a feature of Software Assurance (SA), primary users of devices covered by SA can access their virtual desktops at no extra charge. Microsoft defines a primary user as someone who has used the computing device for more than 50% of the time in a 90-day period.

If the user wishes to access a Microsoft VDI from a device that is not covered by Software Assurance, however, a separate Windows VDA license is required. Such devices include thin clients, zero clients and third-party devices such as contractor-owned PCs. As of this writing, a separate VDA license costs $100 per year, per device.

The Microsoft MSP must provide the Windows 8 OS on DEDICATED hardware, not on infrastructure shared with any other customer, and that hardware cannot be used to provide any kind of service to any other customer of the service provider. Microsoft advise that the dedicated-hardware requirement applies to all of the hardware utilised to provide the solution to the customer: servers, storage and, presumably, switching infrastructure as well.

Windows 8 Rental Rights cannot be used either, because Rental Rights do not allow remote access to the software. Microsoft Rental Rights are a simple way for companies to rent, lease, or outsource desktop PCs with Windows desktop operating system and Microsoft Office licenses to third parties (such as Internet cafés, hotel and airport kiosks, business service centers, and office equipment leasing companies) through a one-time license transaction valid for the term of the underlying software license or life of the PC. Solidify your role as trusted advisor by helping your customers be in compliance, by using an additive license that fits their business model, without requiring special tools, processes, reporting, or paperwork.

Definition of Severity Levels

Severity Definitions are intended to provide guidance on the correct assignment of severity levels in the event of an incident.

Sev 1: The product, service or channel is unavailable or unusable, with NO planned and agreed sustainable workaround.

The problem may be directly impacting either:

· External customers' ability to interact with the Customer

· The Customer's ability to service its customers

· The Business unit’s production workflow

The product, service or channel must be classified as business critical (e.g. it needs to be available within 24 hours of a disaster).

Sev 2: The product, service or channel is available; however, functions are restricted or degraded.

Significant exposure may exist. Business can continue to operate at a reduced capacity while the problem exists.

Sev 3: The product, service or channel is available with no immediate impact to external or internal customers.

An acceptable workaround is in place. The business can continue to operate at full or close to full capacity while the problem exists.

1. CIO Override: a vulnerability that poses a serious threat to the Customer, is wormable (e.g. the Sasser virus) and exploit code is in the wild and available to hackers. Deployed to the environment 24/7.

2. Critical: a vulnerability that poses a serious threat to the Customer and is typically wormable (e.g. the Sasser virus); however, exploit code is not in the wild as yet. Deployed to the environment during normal business hours.

3. Important: a vulnerability that poses a threat to the Customer; typically a vulnerability that needs to be initiated from within and is local to the workstation. Deployed to the environment during normal business hours.

4. Moderate: a minor vulnerability that may pose a threat to the Customer. Usually patched to keep the platform current. This type of patch will only be deployed if the Customer is deploying other hot fixes; otherwise it is deployed in the next Enterprise release.
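To tie the patch classes above back to the "check and update all your software on the base OS image" scanner step, here is an added example of mine (not from the original post) that enumerates updates missing from the local image through the Windows Update Agent COM API and buckets each one into a deployment window by its MSRC severity. The CIO Override class cannot be derived from update metadata (it depends on knowing that exploit code is in the wild), so it is driven by a placeholder list you maintain yourself. It assumes an elevated session on a Windows host that can reach its configured update source (WSUS or Microsoft Update).

```powershell
# Added example (not the author's code). Assumes local administrator rights and a reachable
# update source. $ActivelyExploitedKBs is a constructed placeholder: add KB numbers to it
# only when your own threat intelligence confirms exploit code in the wild.

$ActivelyExploitedKBs = @()

# Map the MsrcSeverity strings carried in update metadata onto the classes defined above.
$Window = @{
    'Critical'  = 'Normal business hours (class 2, Critical)'
    'Important' = 'Normal business hours (class 3, Important)'
    'Moderate'  = 'Next Enterprise release (class 4, Moderate)'
    'Low'       = 'Next Enterprise release (class 4, Moderate)'
}

function Get-MissingUpdateSchedule {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Applicable updates that are not yet installed and not hidden by an administrator.
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

    foreach ($update in $result.Updates) {
        $kbs      = @($update.KBArticleIDs)
        # Non-security updates carry no MSRC rating; mark them so they get a manual look.
        $severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }

        $class = if ($kbs | Where-Object { $ActivelyExploitedKBs -contains $_ }) {
            '24/7 deployment (class 1, CIO Override)'
        } elseif ($Window.ContainsKey($severity)) {
            $Window[$severity]
        } else {
            'Review manually'
        }

        [pscustomobject]@{
            KB       = ($kbs -join ',')
            Title    = $update.Title
            Severity = $severity
            Window   = $class
        }
    }
}

Get-MissingUpdateSchedule | Sort-Object Severity | Format-Table -AutoSize
```

Run it against a freshly built image before it is released: anything landing in the class 1 or class 2 windows is a reason to hold the image, while class 4 items can roll into the next Enterprise release as the policy describes.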